MCP

Detect obfuscated malware in npm supply chains

npm supply-chain scanner catching obfuscated payloads, credential stealers, eBPF rootkits, and AI-key attacks that npm audit misses.

Works with npmgithubdockersnyksocket

91
Spark score
out of 100
Updated 23 days ago
Version 1.2.9

Add to Favorites

Why it matters

Scan npm packages and dependencies for advanced supply chain attacks that traditional tools miss-obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, worm propagation, and campaign-specific signatures from real-world incidents like Megalodon, Mini Shai-Hulud, TrapDoor, and node-ipc compromise.

Outcomes

What it gets done

01

Identify obfuscated preinstall hooks and eval chains using AST-level heuristic analysis

02

Detect conditional triggers that activate only in CI/CD or production environments

03

Catch typosquatting, HuggingFace org impersonation, and registry poisoning attempts

04

Export findings to SARIF, SBOM (CycloneDX/SPDX), SIEM formats, and compliance reports

Install

Add it to your toolbox

Run in your project directory:

curl -fsSL https://spark.entire.vc/get/lateos-ai-npm-scan | bash

Capabilities

Tools your agent gets

scan

Scans npm packages for supply chain attacks, obfuscation, malware, and campaign indicators

scan-lockfile

Analyzes package-lock.json, yarn.lock, and pnpm-lock.yaml for malicious dependencies

scan-vsix

Detects VS Code extension supply chain attacks and malicious marketplace packages

Overview

Npm Scan

What it does

Supply-chain security scanner for npm packages that detects behavioral attacks - obfuscated payloads, credential stealers, eBPF kernel rootkits, memory-level token extraction, GitHub author spoofing, and AI-platform-targeted attacks - that CVE-based tools like npm audit and Snyk miss.

How it connects

Use it to scan a package or an entire lockfile for supply-chain attacks before installing or shipping it, or as a CI/CD gate that fails a build on critical findings. It runs locally with no telemetry, in under 30 seconds per run.

Source README

npm-scan

npm version License Tests

Supply chain threat detection that catches what npm audit, Snyk, and Socket miss.

Detects obfuscated payloads, credential stealers, kernel rootkits, eBPF hooks, memory extraction, GitHub spoofing, and AI-targeted attacks.


Why npm-scan?

Traditional tools are outdated. npm audit checks CVE databases. Snyk scans dependency versions. Neither catches behavioral patterns.

The 2026 wave of attacks:

  • eBPF kernel rootkits (invisible to monitoring)
  • Memory-level credential extraction (OIDC tokens)
  • Self-defending code (anti-debugging, anti-tampering)
  • GitHub author spoofing ("claude@users.noreply.github.com")
  • AI platform targeting (Claude, OpenAI, Cursor, Mistral keys)
  • Worm-like propagation (auto-republish with stolen tokens)

npm-scan detects all of these. 95%+ confidence on real campaigns.


Coverage: npm-scan vs Industry Tools

Attack Vector npm-scan npm audit Snyk Socket Sonatype
Miasma/Hades (binding.gyp) ✅ 95% ❌ 0% ❌ 0% ⚠️ 40% ❌ 0%
eBPF Kernel Rootkit ✅ 95% ❌ 0% ❌ 0% ❌ 0% ❌ 0%
AI Token Targeting ✅ 98% ❌ 0% ❌ 0% ❌ 0% ❌ 0%
GitHub Author Spoofing ✅ 99% ❌ 0% ❌ 0% ❌ 0% ❌ 0%
Memory Credential Extraction ✅ 95% ❌ 0% ❌ 0% ⚠️ 20% ❌ 0%
Self-Defending Code ✅ 95% ❌ 0% ⚠️ 25% ⚠️ 45% ❌ 0%
Module-Load Execution ✅ 95% ❌ 0% ❌ 0% ⚠️ 50% ❌ 0%
Known CVEs ✅ Yes ✅ Yes ✅ Yes ✅ Yes ✅ Yes

Legend: ✅ = 85%+ detection | ⚠️ = 15-80% detection | ❌ = 0% detection


Risk Reduction & Compliance

Single tool approach = Blind spot = Expensive liability

A compromised npm package costs your company:

  • Data breach: $4.5M average (IBM, 2024)
  • Regulatory fines: SOC 2 violations ($100K+), GDPR ($10M+), compliance audits
  • Downtime: $5K-$50K per hour in lost revenue
  • Reputation: Brand damage, customer trust erosion
  • Legal: Lawsuits from affected customers, liability claims

Traditional tool alone misses behavioral attacks. If npm audit + Snyk see nothing, but attackers steal your AWS credentials via a behavioral pattern, you're liable.

npm-scan + npm audit = Complete coverage = Risk reduction

By catching the 95%+ of attacks that traditional tools miss, you reduce:

  • ✅ Breach probability (behavioral detection catches attacks before damage)
  • ✅ Compliance violation risk (due diligence: you used multiple detection methods)
  • ✅ Financial liability (auditors will ask: "How did you verify supply chain security?")
  • ✅ Customer impact (faster detection = faster remediation = fewer affected customers)

Cost-benefit: npm-scan ($2.4K/year enterprise) vs. data breach ($4.5M average). ROI: 1,875x.


What It Detects

Category Examples Detection
Credential Theft Env var harvesting, token exfiltration 98%
Kernel Attacks eBPF rootkits, privilege escalation 95%
Code Evasion Obfuscation, self-defending code, anti-debug 95%
Memory Extraction OIDC token access, AI key targeting 95%
GitHub Attacks Author spoofing, force-push hijacking 99%
Worm Propagation Auto-republish via stolen credentials 95%

Quick Start

# Install
npm install -g @lateos/npm-scan

# Scan a package with known vulnerabilities
npm-scan axios

# Scan your lockfile
npm-scan scan-lockfile

# Export findings to JSON
npm-scan express --json > findings.json

Key Features

  • 23 detectors (D1-D25) covering supply chain attack vectors
  • Real campaign validation (IronWorm, Miasma, Dependency Confusion)
  • Runs locally - no telemetry, no cloud dependency
  • Fast - <30 seconds per CI/CD run
  • Policy-as-code - YAML allowlists, severity overrides
  • SBOM + SARIF - CycloneDX, SPDX, GitHub Security
  • GitHub Action - One-liner CI/CD integration
  • Docker - Multi-arch images

Learn more: lateos.ai/npm-scan


CI/CD Integration

# GitHub Actions example
- name: Scan with npm-scan
  run: |
    npm install -g @lateos/npm-scan
    npm-scan scan-lockfile --fail-on critical

Works with GitHub Actions, GitLab CI, Jenkins, or any CI/CD platform.


Licensing

Free (MIT): Individuals, open-source projects, and teams evaluating for production - no time limit.
Paid (BLA): Required when your team ships to production commercially.

Evaluate freely. Purchase when you're ready to ship.

See LICENSING.md for details.

Commercial use? See licensing tiers - $799/yr (small team) to $9,900/yr (enterprise). Volume discounts available.


More


Scan your first package:

npx @lateos/npm-scan scan axios

Discussion

Questions & comments · 0

Sign In Sign in to leave a comment.